Posted
by
CmdrTaco
on Thursday October 07, 2010 @09:19AM
from the just-want-a-damn-rss-feed dept.

eldavojohn writes "Facebook is rolling out some new changes (including groups) that are supposed to liberate user control. But something that might interest Slashdot readers even more is that they now allow you to download all your information from Facebook. That's everything — all your posts, pictures, videos, friend lists, etc. A video from David of the Open Source team at Facebook explains how it will work, although I don't see that option on my profile yet (they are slowly rolling it out). There's not a lot of details yet, but they at least require you to click a link from an e-mail and reenter your password to get this (to avoid spambots harvesting everyone's data and careless use of public computers resulting in data leaks). Perhaps competitors like Diaspora would be interested in using this base information to germinate user seeds?"

I love how people used to bitch that you couldn't get your data off of Facebook (which wasn't even completely true, given Platform and Connect), but now that they added that exact feature, people are bitching that it will allow spammers to get information or that it trains users in some bad way. Can you give them a fucking break? They are honestly trying to add a feature exactly for the demographic here (most users probably don't care about this level of data portability one bit) and all most people can do is still complain.

They would only send these e-mails if you, as an authenticated facebook user, clicked the "Download my account" link.

So an adversary would have to time extremely well the sending of the spam link in order for the user not to be suspicious.

Even then, if facebook wanted to further deter account download masquerade phishing, they could prompt for some kind of comment at the point of requesting an account download, which they could recapitulate in the e-mail to show the request was legitimate and came from you.

If everyone knew what they're doing then that'd be fine but the average user is an idiot. They will click an email link supposedly from their bank warning them that there's a problem with their account. Then they will enter all the account login information. If people do this with bank info, they're going to do it with facebook info as well. This happens all the time.

Dude, it is one of the basic tenets in computer security to not click on links in e-mails that take you to websites where you enter login credentials.

Those kinds of e-mails are known as phishing and spear phishing attacks. They are very common and very dangerous.

Facebook has had no end of security problems. Now with the publicity that they will be sending out e-mails that have a link, wait a few days and see what hits in computer security news.

If you're going to train people to be security conscious, you can't half-ass it. "Don't click on e-mails that take you to websites where you enter login credentials" is most definitely the wrong message. Just because there are lots of phishing e-mails doesn't mean that every such e-mail is phishing, and it actually trains people to start drawing invalid conclusions: "well, this link didn't come by e-mail, so it's ok." Phishing websites can just as easily lead you to a malicious page where you enter your credentials.

What you actually need to be teaching people is to go to the link from the e-mail, grab the ssl certificate and check the the company name, the verifying authority, and the fingerprint. The independently go to the main website where the e-mail claims to be from, in this case Facebook, and see if the signature matches. If it does, you can type in your credentials. There is no half-assing this procedure. Anything short of it is vulnerable to the attacks you are so concerned about.

All that and it didn’t even occur to you to point out how much easier it’d be to just double check to make sure the domain name in the URL in the address bar was correct; barring the possibility of DNS poisoning it’d be just as safe...

Your doing it wrong. Or at least applying it wrong. In your want to find something incorrect with Facebook you're ignoring the fact that sending an email to the user to confirm they are who they say they are before they are allowed to do things like change their password or download all their data is a tenet of website security in and of itself. These emails are always accompanied by the message "If you did not request this change/email then disregard this message and contact our fraud/tech/blah departme

Spear phishing is phishing targeted at a single individual. Since its in Wikipedia and all over the Interwebs and all those black hatted types talk about I'm guessing the poster didn't make it up. Then again maybe he is one of those black hatty, Wikipedia writing trolls making s***t up in a conspiratorial way. You never know...

I'll give them a break when they stop reseting options with new privacy policies or ToS that lowers the ability for users to lock down their accounts and defaults all options to the most open setting.

Over the summer, they added a "master control" which you can set to "friends only" (or several other settings). This will make all of your current settings "friends only" and will also make any future setting default to "friends only".

I'll give them a break when their account deletion process no longer requires users themselves to manually go through and delete everything they put on the website.

I deleted an account a few months ago and when I recently accidentally logged in to it, Facebook welcomed me back and all the info I had in my profile was still there. When I ask to delete my account, I mean everything.

Every heard of phishing, bro? This is the most common tactic used by phishers to gain info to stuff like bank account or website login info. Bad idea by Facebook in terms of the implementation, not necessarily the concept.

It wouldn't be that hard to do it within the website without this email loop which is dangerous. Just require the user to re-enter their login credentials in the download my profile section of the website. You will already know if you're on facebook's website at that point.

Well, the idea is probably to use the email as additional security so that even if someone has your password, he cannot use this function, because you get a mail.

However, they could just send an unique code which you have to enter at the facebook get-data page, without a link. You already navigated to that page (otherwise you'd not have gotten that mail), and if you closed it in the mean time, you know how to get back there (after all, you found it once; and if you fear to forget how to get there, just book

If your account gets hacked, they still need to have your e-mail hacked. The link to download the zip file is later sent to your e-mail address when the processing is done. Zipping up videos and images takes a while so basically you request this data and they put it in a queue and an hour/day/week/month later you get your data to download e-mailed to you in a link and you re-enter your user password. I thought I described this in my summary but that means that even if your account is hacked they would need access to your e-mail and for quite sometime unless you had already requested it and left that e-mail in your account. Yes, this means that if they know the e-mail associated with your Facebook account, they can just hack that and then request a new Facebook password sent to that account and then initiate the profile zipping.

Let's say their servers get hacked. Well, the data is still not zipped up unless they are retaining that data after someone requests it. So at most they'll have access to whoever is waiting to retrieve their data. And it's going to be a lot of data. So there are a lot of logistics involved to get access to only a few random person's data. And even if the hackers are smart enough to invoke the zip script for every single account, that's not something that will happen overnight.

Basically if they have access to your account or the Facebook servers, they already have access to everything on your profile or Facebook as a whole (respectively). So while this presents mild security issues, it's already assuming that everything is compromised... it just presents the possibility that a hacker could more easily zip up your data... and then that requires time... and access to another resource of yours. For me, this risk is acceptable consider the benefit involved. As I mentioned, I suspect this will allow you to move the history of your profile to another site, which is really really good.

To be fair, we are probably talking about people who use the same password for everything.

Well then in your suggested case, to be fair, where is the real security issue? Is it Facebook or is it the user?

The best and most flawless computer security systems will always have a human being as a security hole. The best 'hackers' reported in the news these days are those that use social hacks like sweet talking and shoulder surfing to gain access to very secure systems.

I wouldn't go around faulting Facebook for catering to the lowest common denominator. Their security measures are okay.

Well, I was mostly addressing the fact that if someone was able to "hack" a facebook account, there is a high probability that the account password will match the email account that is associated with the facebook account.

It's the users' fault for re-using passwords which aren't that great, and its the users' fault for posting all their personal data on facebook, too. So, yeah, its the users' fault. It usually is.

If I hack your FB account, can't I change the email associated with it?

Yes, but the original e-mail address associated with your account gets e-mailed a notification allowing that to be blocked and if you do block it you have to change your password:

Hey XXXXX,

We've received your request to associate your account with the email addressmalicious@hotmail.com.

An email was sent to malicious@hotmail.com to confirm the request and accountownership. To confirm that email address, just click on the confirmation linkin the email sent to malicious@hotmail.com.

However, if that address is not familiar or you did not request to change yourcontact email, please follow this link to cancel the request:http://www.facebook.com/cancel_contact.php?t=XXXXX&u=XXXXX...(If clicking on the link doesn't work, try copying and pasting it into yourbrowser.)

If you cancel the contact email change request, your account will remain withyour current email (goodguys@umn.edu) and you will be asked to reset yourpassword as a security precaution.

Thanks,The Facebook Team

Now, you'd probably prefer that the original e-mail address has to okay the transition but that's how they have it implemented. So you're right, they could change the account associated with it if they know your Facebook password (it asks you at every step of the way). Then they could request the zip and wait to get the e-mail. But if you checked your e-mail in that time and canceled the new e-mail and changed your password you'd be safe.

That's definitely something they could do -- block the request of a new e-mail until an old one is okayed. But then you run into the trouble of someone hacking your e-mail account and gaining access to your Facebook account that way. In that case, they could change your Facebook account over to their e-mail account and then okay it in your hacked e-mail account. Once that's done, how would you reclaim your profile? They would always have the account associated with it.

Also if your old e-mail gets hacked and you have no way of getting it back, you're kind of at the mercy of the person who has your old e-mail as you'll never be able to change the e-mail address associated with your Facebook status and if you do, you'll tip them off that they also have your Facebook account to do with as they please.

What it usually boils down to is if your account is compromised, your account is compromised.

Even now, (not sure about FB), some sites realize that you may not have access to your old email account. A DoS to the old FB email (send a bunch of spammy, mostly legitimate looking 'someone hacked your FB account' emails, but with.ru links), will get most people to ignore the 'real' one, preventing them from noticing the change of email on their account.

They implemented this code/functionality so that when requested they have an automated way to provide the entire details an interested parties account to whatever law enforcement agency requested it. In a grand PR scheme, they figured that it would eventually be leaked this functionality exists, so they present it as a feature to users who then get used to the idea of it being possible. So finally, later on, when it is discovered that they send those pretty pr

Well this certainly makes it much more easier to move your nonsense-data around, but how long untill all the data is available on piratebay?

I guess that depends on how long it takes a clever virus to start looking for traces of these downloads on someone's PC and start harvesting the information. My guess is less than 60 days... but it may not be on PB first as I'm sure there are other 'markets' for this type of information.

It would have to be a permanent disabler then, or at least require external verification to re-enable (email/text/voice message ID, whatever). Not that there's much point in disabling it anyway... webpage scraping isn't that hard.

I'll have to give FB credit here where it is due. There have been major complaints that your FB data isn't portable, so they have you stuck in a lock-in. This is clearly a response to those complaints. I'll be the first to hate on FB, and I still don't have an account, but we can't have it both ways bro. This brought me one step closer to signing up.

Now the phishers can just mock up the Facebook e-mail. Click [this link], and enter your Facebook password to finish downloading your information. If you didn't request a download, click [this link] and enter your password to change your settings and prevent this from happening in the future.

Nowadays you can download most of it as JSON: http://developers.facebook.com/docs/api [facebook.com]. If you're logged in, the links on that page will automatically be populated with authorization keys, so you can just right-click-save-as.

I've got no faith in the Diaspora project. From what I hear, its a slow, buggy conglomeration that doesn't even really solve the problem at hand. It requires an obscene amount of gem dependencies, and it doesn't even run on Apache. It seems like it was more of an exercise in raising money by crowd sourcing, because this project is turning out to be bigger vaporware than DNF.

Maybe, but it already looks like Diaspora development is starting to slow down. OK, there have been some commits today, but I expected to see more activity than what's currently going on.

Well, following the release of the Diaspora source code everyone did kind of rip them apart [slashdot.org] (myself included [slashdot.org]). We all sort of hoped that such criticism would be constructive and the developers would redouble their efforts or seek more help or new developers would aid them.

It's equally likely that after receiving black eyes instead of kudos, developers left Diaspora in droves. It might end up being a failed project with important lessons learned [slashdot.org].

Your stupidity is astounding. A 2 second Google search shows that people do indeed care about hacking into Facebook accounts, so I'm guessing you just pulled that out of your ass because, well if you think it, it must be true!

Information is everything these days. It would also be easier for a spammer to break into your account and get one nice neat little download instead of scraping back years of data.

This tool is a download option for the average user. Its also a giant gaping security breach waiting to ha

On the other hand, scraping is much safer because it doesn't send the user a email account with either the link to the download (which the spammer would have to somehow get access to) or a confirmation to change the email address.Both would get the user suspicious and possibly cancel the request and change the password.

Scraping, as long as you have the password, is much safer. Yes, it may take a while, but that's what webspiders are for. At least the user won't be contacted to confirm a request.

Chances are if they have the FB password they already have access to the users e-mail account. Lets face it, the average user uses one password for most of their online services. Why scrape when you can just download everything in one shot? If the download doesn't work (i.e the user was smart enough to use different passwords) then fall back to scraping the old fashioned way. You can even confirm access to the e-mail account before trying the download, meaning it would be risk free to try.

Yes, but how is that a "giant security hole" compared to what they could already do? Being able to download all at once doesn't really change the fact that they'll get the data. It doesn't make FB any less safer than it was.

They can download all of the data, almost instantly, and store it offline or release it into Torrentland. Scraping takes time, and prolonged access to the account. Now they only need access for a few minutes and they have everything. Changing your account password won't help since they already have everything they need and can freely and safely browse it offline.

I can totally understand why they made this move, and overall it is probably a good thing (Makes getting away from FB when it comes crashing down a

The question is, does it really allow you to download all of your data? Does it let you download everything anyone has ever posted on your profile? If it did, this could give you some idea of what Facebook has stored about you.

I don't want to have to continuously delete tags of myself, remove posts from my wall and other annoying things while I'm trying to stay off FB. It's like a god damned disease you can't get rid of. Worse yet, my wife's profile has the delete option but she's not about to use it.

One thing that seems to be in the same update is removal of the "Clear Chat History" button in the chat window.There are thousands of complaints posted about this already.It doesn't take much imagination to see how not having this feature when one is expecting it can lead to comedy.

This is absolutely shocking. For the past few years it seems every article I have read has advocated that data be soley kept 'in the cloud' and that users will never need to download their data to a perosnal machine ever....

'The Cloud' is hype. Just like all the other hyped techs in the last 15 years (ATM will change networking, Java will be out OS, thin clients will rule the business world)

I? do think it will be interesting if real competition comes to FB how this will be used to transfer data.

I can't think of any compelling reason for Facebook, as the clear market leader, to provide this service. I'm glad they did though, and it makes me feel a lot more comfortable about posting pictures, etc. there for family members without having to keep a mirror somewhere else.

I saw they're also adding some type of sub-networks or groups, so you can make a post about video games and leave out your parents, or congratulate someone about a job offer without including their coworkers. I can think of a lot of tricks to making a good implementation of this, so can't wait to see how they did it.

Those are probably the two most important features that have made me frown on facebook, so seeing both in one day is a big surprise.

I can't think of any compelling reason for Facebook, as the clear market leader, to provide this service. I'm glad they did though, and it makes me feel a lot more comfortable about posting pictures, etc. there for family members without having to keep a mirror somewhere else.

Maybe the second sentence is a reply to the first? For most people it doesn't matter, but for some, being able to move in the future makes them more likely to join now.

Thank you Facebook for supporting data portability and not use it as lame anti-competitive lock-in feature like Yahoo and M$ does.. I don't care how other slashdotters think, but you will earn more of my respect as you make your platform more open and release more open source projects. Well done for your effort, keep it on!

Give users a quick link to display a -clean- Facebook page and news feed. A lot of people are getting fed up with seeing non-stop wall posts for farmville and news feed items and application requests. I've known several people to leave the site for this exact reason. Sure, you can block various applications from showing up on your news feed, but as far as I know you can't hide them from other people's pages. Even if you could do this, it would be tedious to constantly filter

Facebook has 500 million users. At this point, they have few places to go, but down is a very likely possibility if they don't extend themselves into the fabric of the net and collaborate so they will always stick around in some form or another. Zuckerberg reportedly even made a contribution to the Diaspora guys in an undisclosed amount because he thinks the idea has merit... or, more likely, he wants to make sure there's cross-compatibility for years to come.

One other point, sort of tangential to the topic... Some of the comments in preceding discussions about Diaspora keep falling back on the "oh sure four guys in a garage with no professional experience EVER got a project off the ground" sort of sarcasm. Ok, I know it's all wonderful and cool to us nerds to rely on sarcasm and cynicism, but a little perspective should be in order as well: Facebook, Apple, Google, Yahoo and other "garage" startups... There's a reason there's only a handful of them. There are a ton of coders, but not everyone is Harvard educated, massively talented, in the right place at the right time or any combination of these. Not every coder who thinks he has a great idea can execute...... Conversely, not everyone needs to be a Sergey Brin, Mark Zuckerberg or Steve Wozniak. In this Age of Entitlement, we all like to think life is a choice between either being rich or being nothing... but there's plenty of respectable room in between, even if all your project does is get you solid employment at someone else's company.

Anything at all to make people think they actually own and control the things they post to Facebook.

See? I can get it all back, that means it's mine.....

Facebook's had a run of bad press regarding lack of user control over posted content. This is just a feature nobody will use, dedicated to persisting the illusion of control that hides the fact that Facebook is "a place for Friending marketers".